Automatic patching and SQL Server

Microsoft may build auto-patching functions into the next version of SQL …

eWeek has an article up discussing the possibility of Microsoft including automatic patching in the next version of SQL Server. The article is unclear about what exactly this would entail, but it appears the automatic patching will work much like the current Windows Update service in Windows XP.

Under consideration is an agent that will act in a similar manner to that of the bubble that pops up in Windows XP systems to alert users when updates are available. This agent contains links to a site that lists available patches for given systems. The site gives users the opportunity to pick and choose which patches they want to install at a given time.

The implications of an automatic patching system on mission-critical servers (which many SQL Server installations are) require some careful consideration. Not only do patches occasionally break systems, but an internal patching mechanism that pulls code from a central source is itself a new attack surface: whatever the server trusts to deliver updates must be authenticated, or the update channel becomes a way to push arbitrary code onto every database server that uses it. The systems administrators quoted in the article are understandably worried, but I think it's a bit hasty to unequivocally state that an autopatching solution is a "bad idea."

As most visitors to Ars are aware, many people who get thrown into a systems administration role are unsuited for the task. Such glaring ignorance is demonstrated every time there's an outbreak of something like SQL Slammer, a worm rendered ineffective by a patch released months before the outbreak (Slammer exploited a buffer overflow in the SQL Server Resolution Service on UDP port 1434, fixed by MS02-039 in July 2002, some six months before the January 2003 outbreak). The good administrators either had the patch installed, or had sufficiently strict firewalls, with UDP 1434 filtered, to negate the effects of the worm. In a perfect world, every systems administrator would have instant access to all the latest security bulletins, updates and best practices. Unfortunately, with the ease of use Microsoft strives for comes a lower barrier to entry for administrators. Given the number of secretaries-turned-IT-gurus, it seems like an incredibly good idea to have some form of automated patching available for the software they're in charge of. After all, the experienced and security-conscious administrators can always turn it off.
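Whether patching is automatic or not, the check a practitioner actually wants is "is this server at or above the build that carries the fix?" The script below is an added example, not code from the article or from Microsoft: it parses the banner that SELECT @@VERSION returns on SQL Server 2000 and compares the build number against the minimum patched build for the Slammer hole. The inventory of hosts and banners is constructed sample data, and the threshold build (8.00.636, the MS02-039 hotfix; SP3 at 8.00.760 rolls it up) is an assumption that you should verify against Microsoft's own build list before relying on it.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum build carrying the MS02-039 fix, keyed by major version.
# ASSUMPTION for this example: 8.00.636 is the MS02-039 hotfix build for
# SQL Server 2000; SP3 (8.00.760) includes it. Verify against Microsoft's
# published build list before using this in an audit.
MIN_PATCHED_BUILD: Dict[int, Tuple[int, int, int]] = {
    8: (8, 0, 636),  # SQL Server 2000
}

# @@VERSION banners look like "Microsoft SQL Server  2000 - 8.00.760 (Intel X86) ..."
# (note the double space after "Server" on real installs).
VERSION_RE = re.compile(r"Microsoft SQL Server\s+\d{4}\s+-\s+(\d+)\.(\d+)\.(\d+)")


def parse_build(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, build) from a @@VERSION banner, or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def is_patched(banner: str) -> Optional[bool]:
    """True/False if the build can be judged, None if the banner or major version is unknown."""
    build = parse_build(banner)
    if build is None:
        return None
    minimum = MIN_PATCHED_BUILD.get(build[0])
    if minimum is None:
        return None  # a major version this table knows nothing about
    return build >= minimum  # tuple comparison: 8.0.760 >= 8.0.636


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as PATCHED, UNPATCHED or UNKNOWN from its @@VERSION banner."""
    report = {}
    for host, banner in inventory.items():
        state = is_patched(banner)
        report[host] = "UNKNOWN" if state is None else ("PATCHED" if state else "UNPATCHED")
    return report


# Constructed sample inventory (hostnames and banners invented for this example).
SAMPLE_INVENTORY = {
    "db-sp2": "Microsoft SQL Server  2000 - 8.00.534 (Intel X86) \n\tNov 19 2001 13:23:50",
    "db-hotfix": "Microsoft SQL Server  2000 - 8.00.636 (Intel X86) \n\tJul 15 2002 09:01:17",
    "db-sp3": "Microsoft SQL Server  2000 - 8.00.760 (Intel X86) \n\tDec 17 2002 14:22:05",
    "db-odd": "Connection refused",
}

if __name__ == "__main__":
    for host, state in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {state}")
```

A build number only tells you what the engine is running; it says nothing about whether UDP 1434 is reachable from outside, which is the other half of what kept the well-run sites clean. Treat UNKNOWN as a finding in its own right: a host that will not give you a banner is one you cannot vouch for.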

Of course, there's another problem at work here: the tension between the need to patch software quickly and the need to make sure the patch doesn't break your system, your custom apps, and the like. Those who reject the possibility of unattended automatic updates will tell you straight away that they don't trust the patches themselves. If admins keep running into patches that aren't bulletproof out of the box, will a more aggressive push system that still requires human intervention be of any use either?